CISA Orders Urgent Patch for Actively Exploited Windows Shell Vulnerability



Microsoft has released an urgent fix for a Windows Shell vulnerability that is now actively exploited in the wild, raising concerns despite its relatively low severity score.

The flaw, tracked as CVE-2026-32202, has been added to the Known Exploited Vulnerabilities catalog by the Cybersecurity and Infrastructure Security Agency, triggering a directive that requires U.S. federal agencies to apply patches by May 12. Microsoft confirmed active exploitation on April 27, marking a significant escalation from what initially appeared to be a limited issue.

Incomplete patch led to a new attack path

The vulnerability traces back to an earlier flaw, CVE-2026-21510, which Microsoft attempted to fix in February 2026. That update successfully addressed a remote code execution risk but failed to fully eliminate an authentication bypass vector. This oversight allowed attackers to continue exploiting the system through a different path.

Security analysis later confirmed that the incomplete fix left systems exposed to a zero-click attack scenario, where users do not need to open or execute any files to be compromised.

Zero-click exploit via Windows Explorer

The attack method relies on malicious shortcut (.LNK) files placed inside folders. When a user simply browses the folder using Windows Explorer, the system automatically processes embedded UNC paths within the shortcut.

This triggers a connection to an attacker-controlled server over SMB, leaking the user's NTLMv2 hash (more precisely, the Net-NTLMv2 authentication response) without any interaction. Because the process happens silently, users receive no warning or prompt.
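
For a responder, the practical question is which shortcuts on a share or in a user's folders reference hosts outside the organisation. The Python triage script below is an added example, not code from the article or from Microsoft: it checks .lnk files for UNC references and reports hosts outside an allowlist. The header constant follows the published MS-SHLLINK layout, while the hostnames, the TEST-NET address 203.0.113.10 and the header-only sample shortcut are constructed for illustration.

```python
import re
from pathlib import Path

# Every Shell Link starts with HeaderSize 0x4C and LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000C000000000000046")

# UNC strings may be ANSI (LinkInfo) or UTF-16LE (StringData/ExtraData); a raw search covers both.
_UNC_ANSI = re.compile(rb"\\\\([A-Za-z0-9._-]{1,253})\\([A-Za-z0-9._$-]{1,80})")
_UNC_UTF16 = re.compile(
    rb"\\\x00\\\x00((?:[A-Za-z0-9._-]\x00){1,253})\\\x00((?:[A-Za-z0-9._$-]\x00){1,80})")

def is_shell_link(data: bytes) -> bool:
    """True when the bytes begin with a valid Shell Link header (cheap filter before searching)."""
    return data.startswith(LNK_MAGIC)

def find_unc_references(data: bytes) -> list[tuple[str, str]]:
    """Unique (host, share) pairs referenced anywhere in the shortcut bytes, in order found."""
    pairs = []
    for encoding, pattern in (("ascii", _UNC_ANSI), ("utf-16-le", _UNC_UTF16)):
        pairs += [(h.decode(encoding).lower(), s.decode(encoding)) for h, s in pattern.findall(data)]
    return list(dict.fromkeys(pairs))  # de-duplicate while keeping first-seen order

def host_is_trusted(host: str, trusted_suffixes: tuple[str, ...]) -> bool:
    """Loopback and allowlisted internal hosts are expected; anything else deserves a look."""
    return host in ("localhost", "127.0.0.1") or host.endswith(trusted_suffixes)

def triage_shortcut(data: bytes, trusted_suffixes: tuple[str, ...]) -> list[str]:
    """UNC paths in one shortcut whose host is outside the allowlist (empty if not a .lnk)."""
    if not is_shell_link(data):
        return []
    return [f"\\\\{host}\\{share}" for host, share in find_unc_references(data)
            if not host_is_trusted(host, trusted_suffixes)]

def scan_folder(folder: Path, trusted_suffixes: tuple[str, ...]) -> dict[str, list[str]]:
    """Walk a folder (a mounted share, a Downloads directory) and report suspicious .lnk files."""
    report: dict[str, list[str]] = {}
    for lnk in folder.rglob("*.lnk"):
        hits = triage_shortcut(lnk.read_bytes(), trusted_suffixes)
        if hits:
            report[str(lnk)] = hits
    return report

# Constructed sample: a zero-filled 76-byte header plus two UTF-16LE UNC strings (not a real .lnk).
SAMPLE_LNK = (LNK_MAGIC + b"\x00" * 56 + "\\\\fileserver01.corp.example\\public".encode("utf-16-le")
              + b"\x00\x00" + "\\\\203.0.113.10\\share".encode("utf-16-le") + b"\x00\x00")
TRUSTED_SUFFIXES = (".corp.example",)  # assumed internal DNS suffix, adjust per environment
```

The raw-byte search is a triage heuristic rather than a full Shell Link parser, so treat a hit as a lead to examine and a clean result as no proof of safety. It only finds shortcuts; the Explorer behaviour itself is addressed by installing the KB5083769 update.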

Real-world impact outweighs severity score

Although the vulnerability carries a CVSS score of 4.3, typically classified as medium severity, its real-world implications are far more serious. Attackers can capture NTLMv2 hashes and use them in relay attacks across networked systems.

This opens the door to lateral movement, privilege escalation, and potential full network compromise. In some cases, attackers may also crack stolen credentials offline, further increasing the risk.

Security researchers have validated this attack chain in real-world scenarios, confirming that the leftover vector from the earlier patch remains highly exploitable.

Patch now available, but not without issues

Microsoft addressed the vulnerability on April 14 with a fix included in the KB5083769 update for Windows 11 versions 24H2 and 25H2. Systems that do not install this update remain vulnerable to the zero-click exploit.

However, the rollout has not been entirely smooth. Some users, particularly on HP and Dell devices, have reported boot loop issues after installing the update. Microsoft has provided recovery guidance for affected systems, but the issue adds friction to an already urgent patching process.

Broader security pressure builds

The patch arrives as Microsoft continues pushing users from Windows 11 24H2 to 25H2 ahead of the October 13 support deadline. Systems that delay updates now face increased exposure, especially with confirmed active exploitation in the wild.

This vulnerability also comes amid a broader wave of security alerts. The Cybersecurity and Infrastructure Security Agency has recently issued additional warnings, including directives to patch the BlueHammer flaw, highlighting a growing urgency around timely updates.

Organizations and individual users should prioritize installing the KB5083769 update immediately. Despite reported installation issues on some systems, the risk of leaving systems unpatched remains significantly higher.

Where update-related problems occur, Microsoft advises following official recovery steps to stabilize affected devices while maintaining protection against active threats.

Via Notebook Check
